In addition to the many forms of cyber crime, one kind of data theft often goes unnoticed in public reporting and perception: RFID technology and so-called RFID skimming.
The data stored on the chip is read by attackers. For example, criminals can quickly focus on their own bank cards. Every year, around 7 million pounds are captured.
What is behind the RFID technology?
Radio Frequency Identification (RFID) is a technology for automatic, contactless identification of objects. Electromagnetic waves (similar to a radio) can also be used to automatically capture, store and locate data of objects at close range. The communication standard NFC is a specialization of RFID technology for small distances.
How widespread the technology is is also reflected in the amount of damage. An incident in June 2018 attracted attention: Europol searched for, found and arrested numerous criminals. The damage is estimated at approximately 8 million EUR.
Where is RFID technology used?
RFID technology has existed since the 1940s. It has been used since the 1960s as a useful technology for identifying machines, materials and other haptic elements in industry. A practical example is the machine tool, which is equipped with an abundance of drills. In order to be able to select the right drill, it must first “know” each drill. This is successfully realized with a small RFID chip and since the age of industry4.0, the industry can no longer be imagined without it.
There is an almost infinite number of possible applications of RFID technology. From electronic locks, access controls, animal identification (“animal chip”), fuel cards, electronic immobilizers, to contactless payment systems, as well as ID documents (identity card, passport) RFID technology is used. This fact has already led to numerous fake news:
- If everyone uses an RFID chip?
- Hidden RFID chip in TÜV badges?
- All newborns will be implanted with a microchip as of 2018
But of course RFID technology is also used in medical technology. The “VeriChip” becomes a kind of electronic health record in which emergency information from a patient is stored and can be quickly read out if necessary. The chip is implanted with a injection under the human skin. Alternatively, there are systems that are implemented in wristbands.
How does RFID work?
An RFID system consists of a transponder with a unique identifier that generates a high frequency field for both data transmission and power supply, and a reader. In addition, of course, a suitable reader is required to read out the data provided.
What are the risks of RFID technology?
No direct contact to the reader is required to read the information from an RFID chip. However, it is necessary to be within close proximity. The robbery is therefore usually not immediately noticed.
RFID attack methods
Creation of motion profiles
Cloning & Emulation
Creation of an RFID duplicate
Listening/modifying data traffic by “hanging in-between”
Read the stored data
attack extension by range increase
Spoofing & Replay
Data manipulation and faking of the RFID transponder
Denial of Service
Disable the RFID system
Introduction of malware for data manipulation
In reality, the attackers lurk for the victims mostly in highly frequented places such as shopping malls, airports, train stations, and public festivals. The probability of attracting attention there is simply lower than in less frequented places.
For example, the attackers let a smartphone glide slowly over the surface of their victims’ bags or jackets. If an RFID/NFC-enabled product (perhaps a bank card) is detected, the attackers are informed via a signal from the smartphone. The process only takes seconds. The attackers then cause the captured data to be used for shopping on the Internet, for example. Only when the victims analyze the turnover/account statements of their accounts are the debits noticed. But then the attackers are long gone.
How can I protect myself from RFID?
Since virtually anyone can read a bank card and copy the contents of the transponder if they can get close enough to the device, it is advisable to protect themselves effectively. We at AWARE7 therefore recommend that you only allow data traffic during direct payment and otherwise block it. This is relatively easy with bank cards.
With an RFID Blocker-Card you can get a protective cover for your RFID/NFC capable cards, which shields the inserted cards and makes them almost invisible for attackers. A further aid can be to carry another card of the technology with you. Especially with NFC, the payment process from the wallet no longer works perfectly, with another card.
However, your personal data is also important. Therefore it is also important to protect not only your bank cards, but also your identity card and passport. You can get these envelopes for a small mark on the net.
This post is also available in: Deutsch (German)